Method to generate a private key in a boneh-franklin scheme

ABSTRACT

The aim of the present invention is to propose an alternative scheme to the classical Boneh-Franklin scheme in order to simplify the generation and the use of the asymmetric keys. 
     According to the present invention, it is proposed a method to generate an i-th private key in a public key encryption scheme with traceable private keys formed by a public component γ (i)  and a secret component θ i , according to a maximal coalition factor k, with all arithmetic operations performed within a multiplicative group Z/qZ where q is a prime number, 
     said public component being defined as: 
       γ (i)pl =(   1   , i mod q, i   2  mod  q, . . . , i   k-1  mod  q)   
     and said secret component being defined as: 
     
       
         
           
             
               θ 
               i 
             
             = 
             
               
                 
                   ∑ 
                   
                     
                       r 
                       j 
                     
                      
                     
                       α 
                       j 
                     
                   
                 
                 
                   ∑ 
                   
                     
                       r 
                       j 
                     
                      
                     
                       γ 
                       j 
                       
                         ( 
                         i 
                         ) 
                       
                     
                   
                 
               
                
               mod 
                
               
                   
               
                
               q 
             
           
         
       
     
     where r j  and α j  are random values in the group Z/Z.

FIELD OF THE INVENTION

The aim of the present invention is to propose an alternative scheme tothe classical Boneh-Franklin scheme in order to simplify the generationand the use of the asymmetric keys.

PRIOR ART

Consider the following scenario: a center would like to broadcast somedata to l receivers, where only authorized users (typically, those whohave paid a fee) can have access to the data. A possible solution,widely deployed in commercial Pay-TV systems or in secured mediadistribution systems, for instance, consists in encrypting the datausing a symmetric key and to securely transmit to each authorizedreceiver this key which will be stored in a tamper-proof piece ofhardware, like a smartcard.

Unfortunately, tamper-resistant hardware is very difficult and/or costlyto design, since it is vulnerable to a wide variety of attacks.Therefore, a malicious user (hereafter called a traitor) can try toretrieve the decryption key from his receiver and distribute it (sell orgive away) to unauthorized users (the pirates). Depending on the natureof the encryption schemes in use, we can even imagine situations where adishonest user will try to mix several legitimate keys in order to builda new one and embed it in a pirate receiver device.

The problem of identifying which receivers were compromised and/or whichsecret keys were leaked is called traitor tracing. Usually, two modes oftraitor tracing are considered: in the black-box mode, the tracingalgorithm sends crafty ciphertexts to the rogue receiver and aims atdetermining which keys it uses while observing its behavior; in thenon-black-box model, we assume that the keys (or their combination) canbe extracted from the pirate receiver and are known to the tracingalgorithm.

Fiat and Naor [1] introduced the concept of broadcast encryption. Intheir model, there exists a set of l authorized users and thebroadcasting center can dynamically specify a privileged subset ofauthorized users that can decrypt selected ciphertexts (like high-valuecontent, for instance). Later on, Chor, Fiat, and Naor [2] introducedthe concept of traitor-tracing to thwart the problem of decryption keyspiracy in broadcast encryption schemes; their scheme is k-collusionresistant (or k-resilient) in the sense that at least one traitor isidentified with very high probability if there are at most k of them.Later on, Naor, Naor and Lotspiech [3, 4] presented more efficientbroadcast encryption schemes with tracing capabilities; it was howevershown by Kiayias and Pehlivanoglu [5] that the iterative nature of thetracing procedure allows a pirate to leverage significantly thecompromise of a few keys.

Boneh and Franklin [6] proposed a new public-key traitor-tracing schemebased on error-correcting codes, more precisely on Reed-Solomon codes.The Boneh-Franklin non-black-box traitor tracing scheme is k-collusionresistant and deterministic in the sense that all of the traitors areidentified with probability 1 as long as at most k of them collude toderive new pirate keys.

Problem to be Solved

The aim of the present application is an improved key generation andencryption mechanism for Boneh-Franklin and related schemes.

An immediate benefit of the present application is the possibility touse Reed-Solomon codes that are especially optimized to allow fasterdecryption and key generation. In practice, for large systems andcoalitions of medium size, one obtains a decryption speed improvement byalmost an order of magnitude.

The present application also addresses the beyond-threshold security ofthe Boneh-Franklin scheme: if an adversary is able to recover 2k or moresecret keys, where k is the maximal collusion size defined prior to thesystem deployment, then he is able to compute any other secret key (evenif they were not compromised) and thus, the security of the systemcompletely collapses. This is mainly due to the fact that the lineartracing code is public. In the present application we propose a way toprotect against this issue.

Boneh-Franklin Scheme Original Boneh-Franklin

We now describe the original Boneh-Franklin algorithm in details asadvertised and published in [6]. This description will be the basis forthe description of the invention for the fast and secure traceable keysand encryption/decryption mechanisms.

Group Parameters Generation

We need a group G_(q) (i.e., a set of elements equipped with amathematical operation) of prime order q in which the DecisionDiffie-Hellman problem is hard. Three main choices are thinkable, butother exist:

Scenario 1. We can work in a subgroup of order q of the group Z/pZ,where p and q are large prime numbers and where q|p−1. Typically, q is a160-bit prime number and p is a 1024-bit prime number. Group elementsare 1024-bit numbers requiring 1024 bits of storage/bandwidth;implementing Boneh-Franklin scheme on a prime-order subgroup of Z/pZrequires to be able to perform modular additions, modular subtractions,modular multiplications and modular inversions both on 160-bit and on1024-bit numbers.

Scenario 2. We can work over a group of points of an elliptic curve [3]over a finite field with characteristic 2 having in the order of 2¹⁶⁰elements. Group elements require typically 320 bits, but pointcompression techniques allow decreasing this number down to 160 bits ofstorage/bandwidth. Implementing Boneh-Franklin scheme on such a grouprequires that the receiver be able to perform additions, subtractions,multiplications and inversions on 160-bit field elements.

Scenario 3. We can work over a group of points of an elliptic curve overa finite field with a large prime characteristic and having in the orderof 2¹⁶⁰ elements.

Group elements require typically 320 bits, but point compressiontechniques allow decreasing this number down to 160 bits ofstorage/bandwidth. Implementing Boneh-Franklin scheme on such a grouprequires performing modular additions, modular subtractions, modularmultiplications and modular inversions on 160-bit numbers.

Key Generation

We now describe the traceable key public component γ^((i)) generationprocess as done in [6]. For ease of understanding, we assume from now onthat we work in a multiplicative group as described in scenario 1.Basically, the approach of Boneh and Franklin is based on the use ofReed-Solomon codes.

Given the Following Matrix

$\begin{matrix}{A = {\begin{pmatrix}1 & 1 & 1 & \ldots & 1 & \; \\1 & 2 & 3 & \ldots & l & 15 \\1^{2} & 2^{2} & 3^{2} & \ldots & l^{3} & \; \\\vdots & \vdots & \vdots & \; & \vdots & \; \\1^{l - {2k} - 1} & 2^{l - {2k} - 1} & 3^{l - {2k} - 1} & \ldots & l^{l - {2k} - 1} & \;\end{pmatrix}\left( {{mod}\; q} \right)}} & (20)\end{matrix}$

and considering a basis b₁, . . . , b_(2k) of the nullspace of A, a newmatrix is built

$\begin{matrix}{B = \begin{pmatrix} &  &  & \; &  \\b_{1} & b_{2} & b_{3} & \ldots & b_{2k} \\ &  &  & \; & \end{pmatrix}} & (21)\end{matrix}$

Consider /⁻ as being the rows of B. Thus, /⁻ contains l codewords eachof length 2k. By observing that any vector in the span of the rows of Acorresponds to a polynomial of degree at most l−2k−1 evaluated at thepoints 1, . . . , l one can construct the rows of B using Lagrangeinterpolation.

Let k denote the maximal allowed coalition size (i.e., the maximumnumber of keys that could potentially be mixed by a pirate while keepingthe tracing properties). Let g denote a generator of the group G_(q) ofprime order q in which we implement the Boneh-Franklin scheme. Let ldenote the maximum number of receivers in the Boneh-Franklin system. Let1≦i≦l denote the identity of the i-th receiver. The following values arecomputed:

1. The i-th Boneh-Franklin traceable key public component is computed asbeing the following 2k-valued vector over Z/qZ:

$\begin{matrix}{\gamma^{(i)} = \left( {{u_{i}{mod}\; q},{{iu}_{i}{mod}\; q},{i^{2}u_{i}{mod}\; q},\ldots \mspace{14mu},{i^{{2k} - 1}u_{i}{mod}\; q}} \right)} & (1) \\{where} & \; \\{u_{1} = {\left( {\prod\limits_{j = 1}^{l - 1}{- j}} \right)^{- 1}{mod}\; q}} & (2) \\{and} & \; \\{u_{i + 1} = {{\frac{i - 1}{u_{i}\left( {i - l} \right)}{mod}\; q\mspace{14mu} {for}\mspace{14mu} 2} \leq i \leq {l - 1.}}} & (3)\end{matrix}$

2. The public key is computed by generating 2k secret values r_(j):

r∈ _(R) Z/qZ for 1≦j≦2k  (4)

and computing

h _(j) =g ^(r) ^(j) for 1≦j≦2k.  (5)

Then 2k secret values α_(j) are generated:

α_(j)∈_(R) Z/qZ for 1≦j≦2k  (6)

and finally the value y is computed as

$\begin{matrix}{y = {\prod\limits_{j = 1}^{2k}h_{j}^{a_{j}}}} & (7)\end{matrix}$

The public key is then defined as being the (2k+1)-valued vector

(y, h₁, . . . , h_(2k))  (8)

3. The i-th private key secret component θ_(i) put in the i-th receiver,is derived from the i-th traceable key public component

γ^((i))=(γ₁ ^((i)), . . . , γ^(2k) ^((i))) as

$\begin{matrix}{\theta_{i} = {\frac{\sum{r_{j}\alpha_{j}}}{\sum{r_{j}\gamma_{j}^{(i)}}}{mod}\; q}} & (9)\end{matrix}$

Encryption

To encrypt a message m∈G_(q), we first generate a random value a∈_(R)Z/qZ and the ciphertext is defined as being the (2k+1)-valuedvector

(m·y ^(a) , h ₁ ^(a) , . . . , h _(2k) ^(a))  (10)

Decryption

Given a ciphertext c=(s,ρ₁, . . . , ρ_(2k)), it is easy to see that onecan recover m by computing using i-th private key secret component θ_(i)

$\begin{matrix}{m = \frac{s}{\left( {\prod\limits_{j = 1}^{2k}p_{j}^{\gamma_{j}^{(i)}}} \right)^{\theta_{i}}}} & (11)\end{matrix}$

where γ_(j) ^((i)) are the public components of the traceable privatekey which are used to derive θ_(i).

BRIEF DESCRIPTION OF THE INVENTION

In order to simplify the generation and the use of the asymmetric keys,in particular private keys in a public key encryption scheme withtraceable private keys formed by a public component and a secretcomponent, we propose a method to generate an i-th private key in apublic key encryption scheme with traceable private keys formed by apublic component γ^((i)) and a secret component θ_(I), according to amaximal coalition factor k, with all arithmetic operations performedwithin the multiplicative group Z/qZ where q is a prime number,

said public component being defined as:

γ^((I))=(1, b mod q, b ² mod q, . . . , b ^(2k−1) mod q)

and said secret component being defined as:

$\theta_{i} = {\frac{\sum{r_{j}\alpha_{j}}}{\sum{r_{j}\gamma_{j}^{(i)}}}{mod}\; q}$

where r_(j) and α_(j) are uniformly distributed random values in thegroup Z/qZ, 1≦j≦2k and where the value b may be either public and easilycomputable or secret and statistically decorrelated.

Furthermore, we propose two possible variants to encrypt any type ofmessage faster than the original Boneh-Franklin scheme with the sametracing and security properties.

DETAILED DESCRIPTION OF THE INVENTION Traceable Keys for Fast Decryption

We now present a traceable private key public component generationprocess which allows deriving public components which offer asignificantly improved decryption speed.

Previously, we noted that the components γ^((i)) can be computed usingthe recursive formula Eq. (3); this operation is typically feasible inthe broadcasting center, but not in a receiver. We can furthermore notethat, working in a usual security configuration of 2⁸⁰ operations, theelements of a public component γ^((i)) have all a length of 160 bits.

This new method works as follows: in the key generation processdescribed previously, the step 1 is replaced by

1′ We compute the i-th fast Boneh-Franklin traceable private key publiccomponent as being the following 2k-valued vector over Z/qZ:

γ^((i))=(1, i mod q, i ² mod q, . . . , i ^(2k−1) mod q).  (12)

The method presented below results in rather small exponent sizes whichcan drastically speed up the ciphertext decryption in the receiver:re-writing (11) as

$\begin{matrix}{m = {\frac{s}{\left( {\prod p_{j}^{i^{j - 1}}} \right)^{\theta_{i}}\;} = \frac{s}{\left( {\left( {\left( {p_{2k}^{i}p_{{2k} - 1}} \right)^{i}p_{2}} \right)^{i}p_{1}} \right)^{\theta_{i}}}}} & (13)\end{matrix}$

we can transform, for instance for l=2²⁰, 2k+1 modular exponentiationswith 160-bit exponents by 2k modular exponentiations with 20-bitexponents and one 160-bit exponentiation. This is more than a 7-timesspeedup.

According a particular embodiment of the invention, q is higher than2¹²⁷ in order to avoid generic attacks against the discrete logarithmproblem.

A further advantage of this method is that a receiver can compute thepublic component of the decryption key without the need to evaluate therecursive formula of Eq. (3).

Traceable Keys for Added Security

In practical scenarios, there might be a situation where an attackermight have 2k secret components θ_(i) at his disposal. This part of theinvention describes specifically how to the system can be protected insuch a case. We start by describing an attack that might occur inpractice and allow the attacker to derive every private key in thesystem.

Let us suppose than an adversary has managed to get 2k private elementsθ_(i), for 1≦s≦2k. The vectors in r/⁻={γ⁽¹⁾, γ⁽²⁾, . . . , γ^((l))} areassumed to be public. Then, we can rewrite Eq. (9) over Z/qZ as

$\begin{matrix}{\theta_{(i_{a})}^{- 1} = {\frac{\sum\limits_{j = 1}^{2k}{r_{j}\gamma_{j}^{(i_{a})}}}{\sum\limits_{j = 1}^{2k}{r_{j}\alpha_{j}}} = {\sum\limits_{j = 1}^{2k}{\omega_{j}\gamma_{j}^{(i_{a})}}}}} & (22)\end{matrix}$

with ω_(j)=r_(j)/Σr_(j)α_(j); note that the ω_(j) are unknowncoefficients to an adversary. However, with 2k private elements, we havea system of 2k linear equations with 2k variables with a single solutionrevealing the values of ω_(j) to the adversary using a simple Gaussianreduction. From those coefficients, the adversary can compute any otherprivate key θ_(i,) in the system

$\begin{matrix}{\theta_{i_{\upsilon}} = \left( {\sum\limits_{j = 1}^{2k}{\omega_{j}\gamma_{j}^{(i_{\upsilon})}}} \right)^{- 1}} & (23)\end{matrix}$

Not only the adversary will be able to create many untraceablecombinations of keys, but he will be also able to distribute newlyderived keys so that innocent users (whose keys were a priori nevercompromised) will be accused of treachery.

We now present a traceable key generation process which allows derivingtraceable keys resistant to pirates able to gather 2k keys or more. Thisnew method works as follows:

1″ We compute the i-th fast Boneh-Franklin public component of thetraceable private key as being the following 2k-valued vector over Z/qZ:

γ^((i))=(1, ζ² mod q, . . . , ζ^(2k−)mod q).  (14)

where ζ ∈_(R) Z/qZ is drawn independently and uniformly at random foreach γ^((i)).

We note that the receivers have to store the entire representation

d ^((i))=(θ_(iγ1) ^((i)), . . . , θ_(2kγ2k) ^((i)))  (15)

in tamper-proof memory and hence the abovementioned public componentbecomes secret.

A possible variant would consist in deriving ζ from i by processing iand/or additional information with a cryptographically securepseudo-random function (or permutation) parametered by a secret key.

Hybrid Encryption

To encrypt a message m∈G_(q), the standard Boneh-Franklin encryptionprocedure requires to generate a random value a ER Z/qZ and theciphertext is defined as being the (2k+1)-valued vector

(m·y ^(a) , h ₁ ^(a) , . . . , h _(2k) ^(a))  (16)

In most practical situations, the message m consists in a symmetricsession key k, which is then used to encrypt some content, since m is oflimited length (no more than 20 bytes, usually). Furthermore, onepossibly needs a hash function mapping a group element to a symmetrickey.

We propose to bypass these intermediate steps and to use one of the twofollowing possible variants to encrypt any type of message faster thanthe standard Boneh-Franklin scheme, but keeping the same tracing andsecurity properties.

1. To encrypt a message m∈{0, 1}* (i.e., a bitstring of arbitrarylength), we first generate a random value a ∈_(R) Z/qZ and theciphertext is defined as being the (2k+1)-valued vector

(m⊕PRF(n, y ^(a)), h ₁ ^(a) , . . . , h _(2k) ^(a))  (17)

where PRF(., .) denotes a cryptographically secure pseudo-randomfunction. For instance, it can be HMAC-SHA1, HMAC-SHA256 or a blockcipher evaluated on a counter and where y^(a) is considered as being thesymmetric key and n is a nonce value (e.g., a counter incrementedsufficiently many times to generate enough key stream). Here, the XORoperation ⊕ could be replaced by any group law.

2. To encrypt a message m∈{0, 1}*, we first generate a random value a∈_(R) Z/qZ and the ciphertext is defined as being the (2k+1)-valuedvector

(E(m, y ^(a)), h ₁ _(a) , . . . , h _(2k) ^(a))  (18)

where E(., .) is a block cipher or any symmetric encryption scheme basedon a block cipher, and where y^(a) is considered as being the key. Apossible variant would consist in mapping the y^(a) value to a key usinga hash function. Another possible variant is an encryption scheme E(.,.)requiring additional information, like an initial vector.

Field of Application

In Pay-TV systems, the use of traceable asymmetric keys is an advantagein terms of fighting against piracy. The Pay-TV receiver (or thesecurity module thereof) is loaded with a private key i.e., the publiccomponent γ^((i)) and the secret component θ_(i.)Each Pay-TV receiver,such as a set top-box, multimedia device or wireless portable device(DVB-H), comprises at least one private key. The secret component ispreferably stored in a secure container such as a SIM card, smartcard ofany type of tamper-proof memory.

In a practical example, a video/audio data packet PSpacket will beencrypted in the following way, assuming we are working with amultiplicative group and HMAC-SHA256 as the function PRF (see formula(17)):

generate uniformly distributed random value a

compute h₁ ^(a), h₂ ^(a), . . . h_(2k) ^(a) using 2k last elements ofthe public key (see formula (8)),

compute y^(a) using the first element of the public key,

divide the PSpacket into chunk packets of 256 bits possibly remaining aresidual packet of less than 256 bits,

initialize an index to an arbitrary constant (usually 0),

for each chunk, computing the HMAC-SHA256 of the index with y^(a) askey, the index being updated for each chunk, and applying an XORfunction (or any group operation) with the respective chunk

in case that a residual chunk exists, adjusting the HMAC-SHA256 value byextracting the number of bit corresponding to the number of bits of theresidual chunk before applying the XOR function.

transmitting to the receiver, the result values after the XOR functionand the h₁ ^(a), h₂ ^(a), . . . , h_(2k) ^(a)

In the receiver side, the received values h₁ ^(a), h₂ ^(a), . . . ,h_(2k) ^(a) are considered as 2k values i.e. ρ₁, ρ₂, . . . ρ_(2k).

In order to extract the audio/video data PSpacket, the following stepswill be executed:

computing

$y^{a} = \left( {\prod\limits_{j = 1}^{2k}p_{j}^{\gamma_{j}^{(i)}}} \right)^{\theta_{i}}$

using the γ^((i)) public component of the private key, and θ_(i) is thesecret component of the private key,

executing the same HMAC-SHA256 operation as made on the sender side, bydefining an index in the same way as defined during the encryptionoperation.

In this way, the broadcasting center can send a global, encryptedversion of audio/video packet to all receivers; those receivers decryptthe packets using their own private key. A pirate willing to implementan unofficial (unlawful) receiver will necessarily have to embed aunique private key (or a mix of several private keys) in order todecrypt the packets. Having such a rogue receiver in hands, the Pay-TVoperator can then recover the pirate private key(s) and possibly revokeit (them) using another mechanism and/or possibly take legal or anyother action against the person having purchased the original (broken)receiver(s), provided such a link exists.

Instead of mixing the packets with HMAC result, the packets areencrypted with a standard symmetric encryption scheme using a key K,this key being used at the mixing step with the HMAC result.

According to another embodiment, the encrypted packet is obtained byencrypting the said packet with a symmetric encryption scheme using they^(a) value as a key (e.g. TDES in CBC mode). According to analternative embodiment, a hashing function is first applied to the y^(a)value before being used as a key. This is preferably the case when thesize of the y^(a) value is different than the size of the symmetricencryption scheme key.

Another possible field of application concerns the protection ofsoftware against piracy. We may assume that a software is sold togetherwith a hardware dongle containing a different private key for everypackage. This dongle is able to decrypt a global ciphertext contained inthe software and getting a piece of information which is necessary tothe use of the software. If a pirate is willing to clone dongles andsell them, he must embed at least a private key. Getting such a piratedongle in hands, the software seller can then recover the involvedprivate key(s) and take legal or any other action against the personhaving purchased the original (broken) dongle(s), provided such a linkexists.

REFERENCES

-   [1] A. Fiat and M. Naor, “Broadcast encryption”, CRYPTO'93, Lecture    Notes in Computer Science 773, pp.480-491, Springer-Verlag, 1994.-   [2] B. Chor, A. Fiat and M. Naor, “Tracing Traitors”, CRYPTO'94,    Lecture Notes in Computer Science 839, pp. 257-270, Springer-Verlag,    1994.-   [3] J. Lotspiech, D. Naor and M. Naor, “Method for broadcast    encryption and key revocation of stateless receivers”, U.S. Pat. No.    7,039,803.-   [4] J. Lotspiech, D. Naor and M. Naor, “Method for tracing traitor    receivers in a broadcast encryption system”, U.S. Pat. No.    7,010,125.-   [5] A. Kiayias and S. Pehlivanoglu, “Pirate evolution: how to make    the most of your traitor keys”, CRYPTO'07, Lecture Notes in Computer    Sciences 4622, pp. 448-465, Springer-Verlag, 2007.-   [5] D. Boneh and M. Franklin, “An efficient public-key traitor    tracing scheme”, CRYPTO∝99, Lecture Notes in Computer Sciences 1666,    pp. 338-353, Springer-Verlag, 1999.

1. Method to generate an i-th private key in a public key encryptionscheme with traceable private keys formed by a public component γ^((i))and a secret component θ_(i), according to a maximal coalition factor k,with all arithmetic operations performed within a multiplicative groupZ/qZ where q is a prime number, said public component being defined as:γ^((i))=(1, i mod q, i ² mod q, . . . , i ^(2k-1) mod q) and said secretcomponent being defined as:$\theta_{i} = {\frac{\sum{r_{j}\alpha_{j}}}{\sum{r_{j}\gamma_{j}^{(i)}}}{mod}\; q}$where r_(j) and α_(j) are random values in the group Z/qZ.
 2. Method ofclaim 1, in which q is higher than 2¹²⁷.
 3. Method of claim 1, in whichthe corresponding public key is defined as: (y, h₁, . . . , h_(2k))where h_(j)=g^(r) ^(j) for 1≦j≦2k and g is a generator of amultiplicative group G of order q, and y=Π_(ƒ=1) ^(2k)h_(j) ^(a) ^(j) .4. Method of claim 1, in which the corresponding public key is definedas: (y, h₁, . . . , h_(2k)) where h_(j)=^(r)j^(g) for 1≦j≦2k and g is agenerator of an additive group G of order q, and y=Σ_(ƒ=1)^(2k)α_(j)h_(j).
 5. Method of claim 1, in which i is selected from 1 tol, l being the number of generated different private keys correspondingto a given public key.
 6. Method of claim 1, in which i is selected from1 to l, l being the number of generated different private keyscorresponding to a given public key this method further: generating apseudorandom value ζ_(i) in the range of 1 to q-1, q being at leastlarger than l, the public component being defined as:γ^((i))=(1, ζ_(i), ζ_(i) ², . . . , ζ_(k) ^(2k−1)). associating to thegenerated secret key data, the pseudorandom value ζ_(i).
 7. Method ofclaim 6, in which the pseudorandom value ζ_(i) is calculated from i suchas for each i, only a unique ζ_(i) is obtained.
 8. Method of claim 6, inwhich the pseudorandom value ζ_(i) is calculated from i and anadditional bit string, this calculation being made such as for each i,only a unique ζ_(i) is obtained.
 9. Method to decrypt a ciphertext cwith the private key as generated according to the claim 1, to obtain amessage m, the ciphertext being formatted as follows: c=(s, c₁, . . . ,c_(2k)); s, c₁, . . . , c_(2k) are members of a multiplicative group Gof order q, the decryption being as follows:$m = \frac{s}{\left( \; {\prod c_{j}^{\gamma_{j}^{(i)}}} \right)^{\theta_{i}}}$where all the arithmetic calculations are performed in saidmultiplicative group G of order q.
 10. Method to decrypt a ciphertext cwith the private key as generated according to the claim 1, to obtain amessage m, the ciphertext being formatted as follows: c=(s, c₁, . . . ,c_(2k)); s, c₁, . . . , c_(2k) are members of an additive group G oforder q, the decryption being as follows:m=s−(Σc _(j)γ_(j) ^((i)))θ_(i) where all the arithmetic calculations areperformed in said additive group G of order q.
 11. Method to decrypt aciphertext c with the private key as generated according to the claim 1,to obtain a message m, the ciphertext being formatted as follows: c=(s,c₁, . . . , c_(2k)); c₁, . . . , c_(2k) are members of an additive groupG of order q, and s is an arbitrary bitstring, the decryption being asfollows: m=D_(K)(s) and where K is a computed as follows: K=(Σc_(j)γ_(j)^((i)))θ_(i) where all arithmetic calculations are performed in saidadditive group G of order q, and D is the decryption operation of asymmetric encryption scheme and K is the key.
 12. Method to decrypt aciphertext c with the private key as generated according to the claim 1,to obtain a payload m, the ciphertext being formatted as follows: c=(s,c₁, . . . , c_(2k)); c₁, . . . , c_(2k) are members of a multiplicativegroup G of order q, and s comprising at least the encrypted payload m,the decryption being as follows: m=D_(K)(s) and where K is a computed asfollows: K = ( ∏c_(j)^(γ_(j)^((i))))^(θ_(i)) where all arithmeticcalculations are performed in said multiplicative group G of order q,and D is the decryption operation of a symmetric encryption scheme and Kis the key.
 13. Method of claim 11, wherein the encrypted payload sfurther contains additional information required by the symmetricdecryption scheme D.
 14. Method of claim 12, wherein the encryptedpayload s further contains additional information required by thesymmetric decryption scheme D.
 15. Method of claim 11, wherein saidsymmetric decryption scheme D uses K′=H(K) where H is a hash function.16. Method of claim 12, wherein said symmetric decryption scheme D usesK′=H(K) where H is a hash function.
 17. Method of claim 13, wherein saidsymmetric decryption scheme D uses K′=H(K) where H is a hash function.